I would prefer that DBI issued a warning or even refuse to work with inline values, but that would add a lot of overhead, as DBI would need to actually parse the SQL statement.

Worse than that, it would simply be impossible to do.

On receiving the query "SELECT * FROM foo WHERE bar = 'baz'", how would DBI know whether it had been called as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = 'baz'"); (which is fine - the baz is a hard-coded literal) or as $dbh->selectall_arrayref("SELECT * FROM foo WHERE bar = '$myvar'"); (which is potentially dangerous)? Even if it could make that determination, in the latter case, how would it know whether $myvar's value came from user input (unsafe) or the statement my $myvar = 'baz'; (another hard-coded literal, so safe)?

We've already got taint mode and you can set DBI to reject tainted values (DBI->connect(..., { TaintIn => 1 })), but that's about as close as you're likely to be able to get.